CN108073809A - APT Heuristic detection methods and system based on abnormal component liaison - Google Patents

Info

Publication number
CN108073809A
CN108073809A
Authority
CN
China
Prior art keywords
component
call relation
environment information
abnormal
caching
Prior art date
Legal status
Pending
Application number
CN201711420803.2A
Other languages
Chinese (zh)
Inventor
沈长伟
童志明
何公道
Current Assignee
Harbin Antiy Technology Co Ltd
Original Assignee
Harbin Antiy Technology Co Ltd
Priority date
2017-12-25
Filing date
2017-12-25
Publication date
2018-05-25
Application filed by Harbin Antiy Technology Co Ltd
Priority to CN201711420803.2A
Publication of CN108073809A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Memory System Of A Hierarchy Structure (AREA)

Abstract

The present invention proposes an APT heuristic detection method and system based on abnormal component associations. The method comprises: monitoring all process launches in the system; recording the call relations and component environment information of all components and caching them in a caching knowledge base; for every component newly obtained by the system, recording its call relations and component environment information; matching the call relations and component environment information of the newly obtained component against the caching knowledge base and judging, by matching rules, whether a component in the system is abnormal; if so, alerting the user and indicating the risk; otherwise storing the call relations and component environment information of the newly obtained component in the caching knowledge base. The invention also proposes a corresponding system and storage medium. With the invention, componentised, modular, engineered, highly covert and complex APT attacks can be detected effectively.

Description

APT heuristic detection method and system based on abnormal component associations
Technical field
The present invention relates to the field of computer network security, and in particular to an APT heuristic detection method and system based on abnormal component associations.
Background technology
APT attacks are advanced persistent threats. They are highly covert, targeted and complex, and more and more of their functions are implemented in a componentised, modular fashion. A component is an independent unit that performs a function or part of a function, including but not limited to an executable program or a dynamic link library. Implementing a function in modular form requires calls between components; a component association is the relation that forms between components in order to accomplish a function, including but not limited to dynamic link library loading and process invocation. Such attacks deliver their payload in batches, often with long intervals between batches, and each component is carefully constructed so that it is not malicious on its own, yet the components together may complete the attack. Traditional APT detection examines each payload in isolation and cannot cope with attacks of this complexity.
The content of the invention
In view of the above problem, the present invention proposes an APT heuristic detection method and system based on abnormal component associations. It decides whether a component is abnormal from the associations the component forms, and thereby solves the problem that conventional methods cannot detect such complex APT attack patterns.
The invention is realized by the following method:
An APT heuristic detection method based on abnormal component associations, comprising:
monitoring all process launches in the system;
recording the call relations and component environment information of all components, and caching them in a caching knowledge base;
for every component newly obtained by the system, recording its call relations and component environment information;
matching the call relations and component environment information of the newly obtained component against the caching knowledge base and judging, by matching rules, whether a component in the system is abnormal; if so, alerting the user and indicating the risk; otherwise storing the call relations and component environment information of the newly obtained component in the caching knowledge base.
In the method, the component environment information includes at least: the time the component was last called, the component's acquisition source and the component's acquisition method.
In the method, judging by matching rules whether a component in the system is abnormal specifically means: if a component in the system satisfies any of the following matching rules, that component is an abnormal component:
two components that entered the system a long interval apart, at least one of which has never been called, form an association;
components obtained by different acquisition methods or from different acquisition sources form an association;
a component frequently associates with different components newly obtained by the system;
a user-defined matching rule.
The method further includes: the caching knowledge base learns the call relations of associated components by intelligent learning and automatically adds conventional call relations to a whitelist.
An APT heuristic detection system based on abnormal component associations, comprising:
a process monitoring module, which monitors all process launches in the system;
an information acquisition module, which records the call relations and component environment information of all components and caches them in a caching knowledge base,
and which, for every component newly obtained by the system, records its call relations and component environment information;
a matching module, which matches the call relations and component environment information of the newly obtained component against the caching knowledge base and judges, by matching rules, whether a component in the system is abnormal; if so, it alerts the user and indicates the risk; otherwise it stores the call relations and component environment information of the newly obtained component in the caching knowledge base.
In the system, the component environment information includes at least: the time the component was last called, the component's acquisition source and the component's acquisition method.
In the system, judging by matching rules whether a component in the system is abnormal specifically means: if a component in the system satisfies any of the following matching rules, that component is an abnormal component:
two components that entered the system a long interval apart, at least one of which has never been called, form an association;
components obtained by different acquisition methods or from different acquisition sources form an association;
a component frequently associates with different components newly obtained by the system;
a user-defined matching rule.
The system further includes: the caching knowledge base learns the call relations of associated components by intelligent learning and automatically adds conventional call relations to a whitelist.
The present invention also proposes a non-transitory computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, it implements any of the APT heuristic detection methods based on abnormal component associations described above.
The advantages of the invention are: the traditional single-payload detection mode is replaced by an associated-payload detection mode; through fine-grained collection of environment information and an intelligent learning algorithm, abnormally associated components are mined in depth; and through multiple decision strategies plus user-defined decision strategies, detection becomes less predictable to the attacker, raising the cost of an APT intrusion and reducing its covertness. The technical scheme can effectively detect componentised, modular, engineered, highly covert and complex APT attacks. At the same time, the intelligent learning method avoids the frequent virus database updates that conventional methods require.
Description of the drawings
To explain the technical solution of the embodiments of the invention or of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an embodiment of the APT heuristic detection method based on abnormal component associations of the present invention;
Fig. 2 is a structural diagram of the APT heuristic detection system based on abnormal component associations of the present invention.
Specific embodiment
To help those skilled in the art understand the technical solution of the embodiments of the invention better, and to make the above objects, features and advantages of the invention clearer, the technical solution of the invention is described in further detail below with reference to the drawings.
The invention is realized by the following method:
An APT heuristic detection method based on abnormal component associations, as shown in Fig. 1, comprising:
S101: monitoring all process launches in the system;
S102: recording the call relations and component environment information of all components, and caching them in a caching knowledge base;
S103: for every component newly obtained by the system, recording its call relations and component environment information;
S104: matching the call relations and component environment information of the newly obtained component against the caching knowledge base and judging, by matching rules, whether a component in the system is abnormal; if so, alerting the user and indicating the risk; otherwise storing the call relations and component environment information of the newly obtained component in the caching knowledge base.
In the method, the component environment information includes but is not limited to the time the component was last called, the component's acquisition source and the component's acquisition method. Acquisition sources include, for example, active download by the user, download by an application, and copying from a USB flash drive.
In the method, judging by matching rules whether a component in the system is abnormal specifically means: if a component in the system satisfies any of the following matching rules, that component is an abnormal component:
two components that entered the system a long interval apart, at least one of which has never been called, form an association. Such components may be the multiple drops of an APT attack: for example, a component has been in the system for a long time without forming a call relation with any other component, and then forms a chain with a component that has newly entered the system; this is suspicious;
components obtained by different acquisition methods or from different acquisition sources form an association. Such components may have been delivered by an APT attack through several different channels in order to conceal the attack;
a component frequently associates with different components newly obtained by the system, for example in the loader pattern, where a loader downloads a dynamic link library and then loads it;
a user-defined matching rule. User-defined policies further reduce the covertness of an APT attack and make detection less predictable to the attacker.
The method further includes: the caching knowledge base learns the call relations of associated components by intelligent learning and automatically adds conventional call relations to a whitelist. Conventional call relations in the system are, for example, the components called when the system starts, the components a browser loads when it is opened, and the components that playback software loads.
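The detection flow of steps S101 to S104, the three built-in matching rules, the user-defined rule and the whitelist learning step are described above in prose only; the same flow is stated again for the system embodiment and in the claims. The following is an added worked example, written for this page and not code from the patent or from Antiy. The component model (`Component`, `KnowledgeBase`), the field names, the event scenario and all thresholds (30 days for "a long interval", 7 days for "newly obtained", 3 distinct callees for "frequently") are assumptions made for illustration; the patent leaves those quantities open.

```python
"""Toy implementation of the component-association APT heuristic: observe a call
relation, consult the caching knowledge base, apply the matching rules, then
alert or store.  Added example; data model and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

DAY = 86400
DORMANT_GAP = 30 * DAY   # assumption: "entered a long interval apart" = 30 days or more
NEW_WINDOW = 7 * DAY     # assumption: a component counts as "newly obtained" for 7 days
LOADER_FANOUT = 3        # assumption: 3 distinct new callees marks a loader pattern


@dataclass
class Component:
    """One executable or DLL plus the environment info the patent records for it."""
    name: str
    source: str                        # acquisition source, e.g. "os", "browser", "usb"
    method: str                        # acquisition method, e.g. "preinstalled", "user_download", "copy"
    entered_at: int                    # epoch seconds at which the component appeared on the host
    last_called: Optional[int] = None  # None = never called so far


@dataclass
class KnowledgeBase:
    """The caching knowledge base: known call relations, loader fan-out, learned whitelist."""
    relations: Dict[Tuple[str, str], int] = field(default_factory=lambda: defaultdict(int))
    new_callees: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))
    whitelist: Set[Tuple[str, str]] = field(default_factory=set)

    def record(self, caller: Component, callee: Component, now: int) -> None:
        self.relations[(caller.name, callee.name)] += 1
        caller.last_called = callee.last_called = now

    def learn_whitelist(self, min_count: int = 3) -> None:
        """Stand-in for the patent's 'intelligent learning': a relation that recurs during
        baselining (boot-time loads, browser plugins, media codecs) is conventional."""
        for rel, n in self.relations.items():
            if n >= min_count:
                self.whitelist.add(rel)


Rule = Callable[[Component, Component, int, KnowledgeBase], Optional[str]]


def rule_dormant_association(caller: Component, callee: Component, now: int, kb: KnowledgeBase) -> Optional[str]:
    """Rule 1: components that entered a long interval apart, the older never called, now link."""
    older, newer = sorted((caller, callee), key=lambda c: c.entered_at)
    gap = newer.entered_at - older.entered_at
    if gap >= DORMANT_GAP and older.last_called is None:
        return f"{older.name} sat uncalled for {gap // DAY} days, now linked to {newer.name}"
    return None


def rule_mixed_acquisition(caller: Component, callee: Component, now: int, kb: KnowledgeBase) -> Optional[str]:
    """Rule 2: components with a different acquisition source or method link."""
    if caller.source != callee.source or caller.method != callee.method:
        return (f"{caller.name} ({caller.source}/{caller.method}) -> "
                f"{callee.name} ({callee.source}/{callee.method})")
    return None


def rule_loader_fanout(caller: Component, callee: Component, now: int, kb: KnowledgeBase) -> Optional[str]:
    """Rule 3: one component keeps linking to different newly obtained components."""
    if now - callee.entered_at <= NEW_WINDOW:
        kb.new_callees[caller.name].add(callee.name)
    n = len(kb.new_callees[caller.name])
    if n >= LOADER_FANOUT:
        return f"{caller.name} has loaded {n} distinct newly obtained components"
    return None


def rule_usb_callee(caller: Component, callee: Component, now: int, kb: KnowledgeBase) -> Optional[str]:
    """Rule 4 stand-in: a user-defined rule flagging any call into a USB-sourced component."""
    return f"{callee.name} came from removable media" if callee.source == "usb" else None


BUILTIN_RULES: List[Rule] = [rule_dormant_association, rule_mixed_acquisition, rule_loader_fanout]


def check_call(kb: KnowledgeBase, caller: Component, callee: Component, now: int,
               user_rules: List[Rule] = ()) -> List[str]:
    """Step S104 for one observed call relation.  Whitelisted or rule-clean relations are
    stored in the knowledge base; a relation that hits any rule is returned as alerts instead."""
    if (caller.name, callee.name) in kb.whitelist:
        kb.record(caller, callee, now)
        return []
    alerts = []
    for rule in [*BUILTIN_RULES, *user_rules]:
        hit = rule(caller, callee, now, kb)
        if hit:
            alerts.append(f"{rule.__name__}: {hit}")
    if not alerts:
        kb.record(caller, callee, now)
    return alerts


def run_demo() -> Dict[str, object]:
    """Constructed scenario: baseline a normal load, then a staged drop through two channels."""
    t0 = 1_700_000_000
    kb = KnowledgeBase()
    browser = Component("browser.exe", "os", "preinstalled", t0 - 400 * DAY, last_called=t0)
    codec = Component("codec.dll", "os", "preinstalled", t0 - 400 * DAY, last_called=t0)
    for day in range(3):                      # three boots of the same conventional relation
        kb.record(browser, codec, t0 + day * DAY)
    kb.learn_whitelist(min_count=3)

    helper = Component("helper.dll", "usb", "copy", t0)                           # USB drop, never run
    loader = Component("update.exe", "browser", "user_download", t0 + 45 * DAY)   # arrives 45 days later
    now = t0 + 45 * DAY + 60
    out: Dict[str, object] = {}
    out["whitelisted"] = check_call(kb, browser, codec, now, [rule_usb_callee])
    out["dormant_link"] = check_call(kb, loader, helper, now + 1, [rule_usb_callee])
    stages = [Component(f"stage{i}.dll", "browser", "user_download", loader.entered_at) for i in range(3)]
    out["fanout"] = [check_call(kb, loader, s, now + 2 + i, [rule_usb_callee]) for i, s in enumerate(stages)]
    return out


if __name__ == "__main__":
    for step, alerts in run_demo().items():
        print(step, alerts)
```

In the constructed run the whitelisted browser-to-codec load passes silently, the loader's call into the dormant USB-dropped DLL trips rules 1, 2 and the user rule at once, and the third freshly downloaded DLL the loader pulls in trips rule 3. One caveat the patent does not discuss: rule 2 as literally stated fires for every downloaded program that loads a preinstalled system library, so in practice the learned whitelist and the chosen thresholds, not the rules themselves, determine the false-positive rate.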
An APT heuristic detection system based on abnormal component associations, as shown in Fig. 2, comprising:
a process monitoring module 201, which monitors all process launches in the system;
an information acquisition module 202, which records the call relations and component environment information of all components and caches them in a caching knowledge base,
and which, for every component newly obtained by the system, records its call relations and component environment information;
a matching module 203, which matches the call relations and component environment information of the newly obtained component against the caching knowledge base and judges, by matching rules, whether a component in the system is abnormal; if so, it alerts the user and indicates the risk; otherwise it stores the call relations and component environment information of the newly obtained component in the caching knowledge base.
In the system, the component environment information includes at least: the time the component was last called, the component's acquisition source and the component's acquisition method.
In the system, judging by matching rules whether a component in the system is abnormal specifically means: if a component in the system satisfies any of the following matching rules, that component is an abnormal component:
two components that entered the system a long interval apart, at least one of which has never been called, form an association;
components obtained by different acquisition methods or from different acquisition sources form an association;
a component frequently associates with different components newly obtained by the system;
a user-defined matching rule.
The system further includes: the caching knowledge base learns the call relations of associated components by intelligent learning and automatically adds conventional call relations to a whitelist.
The present invention also proposes a non-transitory computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, it implements any of the APT heuristic detection methods based on abnormal component associations described above.
The advantages of the invention are: the traditional single-payload detection mode is replaced by an associated-payload detection mode; through fine-grained collection of environment information and an intelligent learning method, abnormally associated components are mined in depth; and through multiple decision strategies plus user-defined decision strategies, detection becomes less predictable to the attacker, raising the cost of an APT intrusion and reducing its covertness. The technical scheme can effectively detect componentised, modular, engineered, highly covert and complex APT attacks. At the same time, the intelligent learning method avoids the frequent virus database updates that conventional methods require.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and identical or similar parts may be looked up across embodiments. In particular, the system embodiment is described relatively briefly because it is substantially similar to the method embodiment; for relevant details, refer to the description of the method embodiment.
Although the invention has been described by way of embodiments, those of ordinary skill in the art will understand that there are many variations and changes of the invention that do not depart from its spirit, and it is intended that the appended claims cover such variations and changes.

Claims (9)

1. An APT heuristic detection method based on abnormal component associations, characterized by comprising:
monitoring all process launches in the system;
recording the call relations and component environment information of all components, and caching them in a caching knowledge base;
for every component newly obtained by the system, recording its call relations and component environment information;
matching the call relations and component environment information of the newly obtained component against the caching knowledge base and judging, by matching rules, whether a component in the system is abnormal; if so, alerting the user and indicating the risk; otherwise storing the call relations and component environment information of the newly obtained component in the caching knowledge base.
2. The method of claim 1, characterized in that the component environment information includes at least: the time the component was last called, the component's acquisition source and the component's acquisition method.
3. The method of claim 2, characterized in that judging by matching rules whether a component in the system is abnormal specifically means: if a component in the system satisfies any of the following matching rules, that component is an abnormal component:
two components that entered the system a long interval apart, at least one of which has never been called, form an association;
components obtained by different acquisition methods or from different acquisition sources form an association;
a component frequently associates with different components newly obtained by the system;
a user-defined matching rule.
4. The method of claim 1, characterized in that it further comprises: the caching knowledge base learning the call relations of associated components by intelligent learning and automatically adding conventional call relations to a whitelist.
5. An APT heuristic detection system based on abnormal component associations, characterized by comprising:
a process monitoring module, which monitors all process launches in the system;
an information acquisition module, which records the call relations and component environment information of all components and caches them in a caching knowledge base,
and which, for every component newly obtained by the system, records its call relations and component environment information;
a matching module, which matches the call relations and component environment information of the newly obtained component against the caching knowledge base and judges, by matching rules, whether a component in the system is abnormal; if so, it alerts the user and indicates the risk; otherwise it stores the call relations and component environment information of the newly obtained component in the caching knowledge base.
6. The system of claim 5, characterized in that the component environment information includes at least: the time the component was last called, the component's acquisition source and the component's acquisition method.
7. The system of claim 6, characterized in that judging by matching rules whether a component in the system is abnormal specifically means: if a component in the system satisfies any of the following matching rules, that component is an abnormal component:
two components that entered the system a long interval apart, at least one of which has never been called, form an association;
components obtained by different acquisition methods or from different acquisition sources form an association;
a component frequently associates with different components newly obtained by the system;
a user-defined matching rule.
8. The system of claim 5, characterized in that it further comprises: the caching knowledge base learning the call relations of associated components by intelligent learning and automatically adding conventional call relations to a whitelist.
9. A non-transitory computer-readable storage medium on which a computer program is stored, characterized in that, when the program is executed by a processor, it implements the APT heuristic detection method based on abnormal component associations of any one of claims 1 to 4.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711420803.2A CN108073809A (en) 2017-12-25 2017-12-25 APT Heuristic detection methods and system based on abnormal component liaison

Publications (1)

Publication Number Publication Date
CN108073809A 2018-05-25

Family

ID=62155898

Country Status (1)

Country Link
CN (1) CN108073809A (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1818823A (en) * 2005-02-07 2006-08-16 福建东方微点信息安全有限责任公司 Computer protection method based on program behaviour analysis
CN101373502A (en) * 2008-05-12 2009-02-25 公安部第三研究所 Automatic analysis system of virus behavior based on Win32 platform
US20090158430A1 (en) * 2005-10-21 2009-06-18 Borders Kevin R Method, system and computer program product for detecting at least one of security threats and undesirable computer files
US20100058431A1 (en) * 2008-08-26 2010-03-04 Mccorkendale Bruce Agentless Enforcement of Application Management through Virtualized Block I/O Redirection
CN104794399A (en) * 2015-04-23 2015-07-22 北京北信源软件股份有限公司 Terminal protection system and method based on massive program behavior data
CN104811447A (en) * 2015-04-21 2015-07-29 深信服网络科技(深圳)有限公司 Security detection method and system based on attack association
CN104850780A (en) * 2015-04-27 2015-08-19 北京北信源软件股份有限公司 Discrimination method for advanced persistent threat attack
CN104866765A (en) * 2015-06-03 2015-08-26 康绯 Behavior characteristic similarity-based malicious code homology analysis method
CN105681286A (en) * 2015-12-31 2016-06-15 中电长城网际系统应用有限公司 Association analysis method and association analysis system
CN106802821A (en) * 2017-02-14 2017-06-06 腾讯科技(深圳)有限公司 Method and device for identifying the installation source of an application

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
    Address after: 150028 Building 7, Innovation Plaza, Science and Technology Innovation City, Harbin Hi-tech Industrial Development Zone, Harbin, Heilongjiang Province (838 Shikun Road)
    Applicant after: Harbin Antiy Technology Group Limited by Share Ltd
    Address before: 150090 Room 506, No. 162 Hongqi Street, Nangang District, Harbin Development Zone, Heilongjiang Province
    Applicant before: Harbin Antiy Technology Co., Ltd.
CB02 Change of applicant information
    Address after: 150028 Building 7, Innovation and Entrepreneurship Square, Science and Technology Innovation City, Harbin Hi-tech Industrial Development Zone, Heilongjiang Province (No. 838, Shikun Road)
    Applicant after: Antan Technology Group Co.,Ltd.
    Address before: 150028 Building 7, Innovation and Entrepreneurship Square, Science and Technology Innovation City, Harbin Hi-tech Industrial Development Zone, Harbin, Heilongjiang Province (No. 838, Shikun Road)
    Applicant before: Harbin Antian Science and Technology Group Co.,Ltd.
RJ01 Rejection of invention patent application after publication
    Application publication date: 20180525